Judgments in to two separate group actions relating to vicarious liability were handed down by the Supreme Court on April Fools’ Day.  Fittingly, the Supreme Court took the opportunity to tie up some loose ends. While the decisions do not necessarily develop the law relating to vicarious liability, there are interesting ramifications relating to claims for data breach.

Various Claimants v Barclays

The Facts

Dr Bates was a medic who was instructed by the appellant to carry out examinations on members of staff joining the company.  The purpose of the medical was to confirm that they were eligible for a life insurance product which came as one of the employee benefits. Dr Bates used these opportunities to sexually abuse some of the prospective employees.

Dr Bates was not an employee of B. He died in 2009 and his estate was distributed and wound up.  Unable to bring a claim against Dr Bates, multiple Claimants brought a claim against B on the basis that B was vicariously liable for his Torts. 

First Instance & Court of Appeal

The Claimants based their argument on the decisions in Cox v Ministry of Justice [2016] and Armes v Nottinghamshire CC [2017].  Specifically, in this instance they contended that it was fair, just and reasonable for vicarious liability to be imposed on B for the torts of Dr Bates, even though he was not an employee of B.  This was accepted by the trial judge and by the Court of Appeal, who both found in favour of the Claimants.   

Appeal to the Supreme Court

B appealed to the Supreme Court. Their case was simply that an organisation which engaged an independent contractor was not liable for that contractor’s torts.

In the leading judgment, Lady Hale carried out a thorough review of the case law, and in particular the cases of Armes and Cox referred to above.  Both cases established situations where it was suitable to broaden the scope of vicarious liability.  In Cox the Supreme Court found the Ministry of Justice liable for torts committed by prisoners who were acting under the direction of the prison catering manager.  In Cox, the Court employed a five-point test to consider what elements or incidents could be taken into account. This was then applied in Armes, where the Supreme Court held that a local authority was liable for the torts of a foster carer on the basis that it was fair, just and reasonable. 

Despite the above, Lady Hale was able to come to a rather swift conclusion without applying either case.  The key question (which has its roots in the case of Quarman v Burnett (1840)) was posed below:

“[W]hether the tortfeasor is carrying on business on his own account or whether he is in a relationship akin to employment with the defendant. “

While the five step process outlined in Cox is useful in cases where it might be unclear, where it was clear that the tortfeasor was carrying on his own business, these steps were not required.

The appeal was allowed.

Various Claimants v WM Morrisons

The Facts

S, a senior auditor employed by the appellant M, disclosed the data of 98,998 employees of M externally.

S had access to the personal data in order to carry out his role as an auditor, namely to disclose the data to an external audit company. However, S apparently held a grudge against M following a previous disciplinary process.   Of his own volition, S uploaded the data to a publicly accessible website. S then removed the data 4 months later but made a copy and sent the data to three newspapers. The newspapers alerted M, and M spent over £2.26m dealing with the aftermath, a significant amount of which went on protecting the employees’ identity.

A group action was brought against M by a number of employees who were affected by the breach. It was argued that M was vicariously liable for S’s breach of statutory duty under section 4(4) of the Data Protection Act 1998 (DPA), misuse of private information and breach of confidence.

First instance

The important issue of whether the DPA excludes vicarious liability was considered.  Langstaff J rejected that M were themselves responsible but found that S was in breach of the DPA, had misused the employees’ private information, and had breached his duty of confidence. Langstaff J concluded that the disclosure of the data was sufficiently connected to S’s role as an auditor for M to be vicariously liable for the disclosure.

Broadly speaking, the Court of Appeal agreed.

The appeal to the Supreme Court

The grounds for appeal were as follows:

  1. Whether M was vicariously liable for S’s conduct; if yes
  2. Whether the DPA excludes the imposition of vicarious liability for statutory torts committed by an employee data controller under the DPA;
  3. Whether the DPA excludes the imposition of vicarious liability for misuse of private information and breach of confidence.

In consideration of point 1, the Court reviewed what appeared to be conflicting guidance provided by the recent case of Mohamud v W M Morrisons and previously establish line of case law provided in cases such as Various Claimants v Catholic Child Welfare Society [2013].

Lord Toulson in Mohamud, (which involved an unprovoked attack on a member of public by an employee of the Defendant) had found the Defendant to be vicariously liable on the basis that there was an unbroken chain of events connecting the employee’s work to the attack..

The Supreme Court then considered the case of Various Claimants v Catholic Child Welfare Society [2013].  In that case five factors were listed by Lord Philips. When the five factors are answered in the affirmative, the question to ask is not whether the wrongdoing is so closely connected to the employment that vicarious liability ought to be imposed, but whether the actions taken by the wrongdoer is sufficiently akin to the employee’s role that vicarious liability does apply.

Lord Reed’s conclusion in the Supreme Court was that S’s wrongful act was undertaken on account of personal motivation (i.e. a grudge against M) and that although there was a close link between S’s employment and the wrongful act, it could not be said that he was acting in the ordinary course of his employment. As such M were not vicariously liable for S’s actions.


Whilst not overturning the previous decisions, these two cases do push back against the previous steady growth of the ambit of vicarious liability. In this instance rogue employees and independent contractors were not covered by vicarious liability. That said, the decisions do not go as far as to prevent a further Mohamud or Armes from being decided again.

As an interesting aside, Lord Reed considered whether the DPA excludes vicarious liability. Ultimately it was considered that an employer can be held vicariously liable for the actions of an employee where that employee has breached the DPA.


For further support and advice relating to the impact of COVID-19, please view our COVID-19 Advisory Service page.

Our use of cookies

We use necessary cookies to make our site work. We'd also like to set optional analytics cookies to help us improve it. We won't set optional cookies unless you enable them. Using this tool will set a cookie on your device to remember your preferences. For more detailed information about the cookies we use, see our Cookies page.

Necessary cookies

Necessary cookies enable core functionality such as security, network management, and accessibility. You may disable these by changing your browser settings, but this may affect how the website functions.

Analytics cookies

We'd like to set Google Analytics cookies to help us to improve our website by collection and reporting information on how you use it. The cookies collect information in a way that does not directly identify anyone.
For more information on how these cookies work, please see our Cookies page.